Your Complete Guide to the ISO 27001 Standard

07 December 2015

ISO 27001 is an information security management standard that proves an organisation has structured its IT to effectively manage its risks.

When your company displays its ISO 27001 certification, your customers will know that you have policies in place to protect their information from today’s big threats.

The 27000 series of standards covers a range of information security topics. You can optimise your time and energy by focusing on just ISO 27001, arguably the best-known standard in the family, which is designed to protect your network through an information security management system (ISMS).

ISO 27001 is recognised internationally and is appropriate for any company. You’ll see ISO certifications for non-profits, major corporations, boutique security firms, small e-tailers and even state and federal organisations. The standard comes from the ISO and IEC, two organisations who have made a name in standardisation as well as information security.

Conservatively estimated, cyber threats cost the global economy $375 billion in losses each year. Some put the cost as high as $575 billion.

You take threats seriously and ISO 27001 is the smart way to let others know. Learn how to store data securely, examine new risks and create a culture that minimises risk by seeking ISO 27001 certification.

What Is ISO 27001?

The ISO 27001 standard has become the most popular information security standard in the world with hundreds of thousands of companies acquiring certification. The standard is routinely updated to ensure that it teaches companies how to protect themselves and mitigate risks against today’s current threats.

These threats are among those the ISO 27001 helps you plan for:

Cybercrime

Data vandalism

Errors related to integration with unprotected partnerships or warehouses

Internal data theft

Loss of data due to misuse or malfeasance

Misuse of information

Network breaches through third-party connections

Personal data breaches

State-sanctioned cyber attacks

Terrorist attacks

Theft

Viral attacks

Think of the security protocol as a mindset. ISO 27001 doesn’t give you a step-by-step guide to protecting assets. Instead, it provides you with a framework to apply to any threats or risks you face. This means it can be tough to implement at first, but proper training will keep your organisation safe for a long time.

Why Isn’t There a List to Follow?

ISO standards work this way because no single list works for every company — or even every division. Your organisation likely has some departments that generate new customer information every day, while others add employee information only once a month. Extending protection to both of these on the same schedule would either leave customer information vulnerable for extended periods of time or cause your HR department to continuously perform work it didn’t need.

You don’t get a list, but you do get a mindset. You’ll be taught how to approach risk management around the availability of data on your network and how to implement security for it. You’ll learn how to perceive threats, find out existing risks and systematically address them.

You can follow the process for the rest of your career and you’ll learn how to expand it beyond departments. For example, a solid list would likely focus on your IT department and on protecting data as it enters your systems. A framework like ISO 27001 expands protection to new areas such as the legal risks of sharing information so you avoid improper sharing through policy instead of a firewall.

So What Do You Do With ISO 27001?

What you need to do with the security standard is become certified. Certification — and don’t worry, we’ll help you find the best place to get certified in a later chapter — simply means that an independent organisation will look over your processes to verify that you’ve properly implemented the ISO 27001 standard. Once you’re found to be compliant, you’ll get a certification that you can display on your website, marketing materials and elsewhere.

To give you a thorough understanding of the ISO 27001 standard, let’s review some basics about its creation, special requirements for the standard and the fundamentals of the standard itself. To start, read the background that you can benefit from right away.

Why You Need ISO 27001 Certification

Securing ISO 27001 certification will show your employees and your customers that you can be trusted with their information. In some industries, companies will not select IT partners who do not hold ISO 27001 certification, and it is often a requirement of federal or governmental data-related contracts.

The chief benefit of ISO 27001 is that it gives you a reputation for being a safe and secure partner. You won’t be seen as a potential threat to business from either internal or external problems. Many companies have found that ISO 27001 certification has led to an increase in profits and influx in new business. Some even report that ISO 27001 can reduce their operational expenses by introducing review processes into their business management.

Some of the benefits your organisation can expect when you introduce cybersecurity protections visible to your team and your clients include:

Cyber threats are on the minds of everyone. By showing the world that you’re prepared for threats, you can boost your business and potentially send malicious attacks elsewhere.

About the ISO and IEC

The ISO 27001 certification comes from the ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission).

Both organisations came together to create a special system that builds worldwide standardisation. The ISO and IEC have members from all over the globe who participate in standards development. ISO/IEC standards have become the preferred credentials for manufacturers, IT companies and customers across the globe.

Currently, ISO has published more than 19,500 standards covering technology and manufacturing.

Understanding Information Security Management Systems (ISMS)

Information security management systems (ISMS) are a fundamental part of the ISO 27001 because you’ll use the standard to establish and maintain this system. A good ISMS involves a systemic response to new risks, allowing it to grow and change alongside your business.

Every information asset must be covered by your ISMS and you’ll need to run checks whenever a new device or data set is added. The ISO/IEC standards recommend you follow a Plan-Do-Check-Act methodology to maintain your ISMS. The ISO 27001 will give you the framework to follow the methodology:

Plan: Establish the ISMS policy, objectives, processes and procedures needed to manage your information security risks.

Do: Implement and operate the policy, controls, processes and procedures.

Check: Monitor and review performance against the policy and objectives and report the results to management.

Act: Make any needed changes to improve the effectiveness of your program.

One essential piece of the ISMS is that you’re only being taught a method. ISO 27001 certification will give you the starting point that can keep your company safe. However, you can add to that as you wish. Some practitioners will layer a Six Sigma DMAIC approach on top as well, in order to meet other requirements they may have.

Obtaining ISO 27001 empowers you to create and implement the best ISMS for your company. Adapt, adopt and grow at the scale that’s perfect for you.

Get Your Management’s Approval

One of the key differences of the ISO 27001 standard compared to most other security standards is that you’ll struggle with and potentially fail certification if your management is not working with you.

Adopting an ISMS isn’t an IT decision, it’s a business strategy decision. The process must cover every department and must work within all of your departments. An ISMS must be deployed across your entire organisation and that means you’ll have to address threats and risks that could start with any department.

ISO 27001 Standard: 6 Stages for Planning

ISO 27001 was created to provide you with a platform-neutral, technology-neutral approach to security risks. You’ll learn to address concerns individually as well as part of larger risk management policies, and you’ll have a guide to creating your security procedures.

The simplest way to view the entire process is by looking at its core values: a six-part planning assessment and procedure. Approach it from a top-down perspective and you’ll find success when you:

1. Define a security policy for your technology/platform/device/company.

2. Create a scope for your ISMS.

3. Perform risk assessments based on your results from steps 1 and 2.

4. Identify risks and create a management plan.

5. Determine appropriate metrics and controls used to track progress when the plan is implemented.

6. Craft a statement of applicability to guide policy changes.

These six pillars are broad steps that you’ll see throughout each of the main elements of the standard. ISO 27001 will help you maintain this high-level approach throughout documentation and audits, determining responsibility for implementation and controls, ongoing maintenance and upgrades, and risk-based activities to prevent breaches or react when they occur.

While you may be the individual seeking the certification, ISO 27001 guidelines perform best when your entire company is on board.

10 Sections for Success: ISO 27001 Control Checklist

The latest standard update — ISO/IEC 27001:2013 — provides you with 10 sections that will walk you through the entire process of developing your ISMS. Each of these plays a role in the planning stages and facilitates implementation and revision.

By continually walking through the control checklist, you’ll have a succinct ISMS that secures your network. With each new integration, data set, client portal and BYOD policy, run through the list again to stay safe and protected.

The sections of the new ISO 27001 standard are:

Scope

The standard lays out the requirements and provides a management context for you to create, implement, maintain and improve your ISMS. You’ll learn the requirements for making assessments of your security risks and how to manage them relative to your organisational structure.

Normative References

This section will discuss the other information and background you’ll need. While there is a family of standards in the 27000s, the only one specifically required is the ISO/IEC 27000. Other standards in this family are optional and may support your ISMS development. For certification purposes, you don’t need to study or read anything beyond the ISO 27000 and ISO 27001 standards.

Terms and Definitions

Here you’ll learn the terms in a brief glossary. This glossary has a planned obsolescence of sorts and will be replaced by information provided in the ISO 27000 standard. You don’t have to spend any additional funding: You can get a free online copy of the ISO 27000 overview and vocabulary from the ISO.

Context of the Organisation

This section teaches you how to take your organisational structure and needs into account when developing your ISMS. You’ll get help building the scope of the ISMS by looking at different departments’ interaction with your IT systems and defining all of the parties who use, provide, adjust or observe your data.

The goal is to “establish, implement, maintain and continually improve” your company’s ISMS.

Leadership

The ISO 27001 standard specifically calls for top management to be involved. This section shows you how to properly involve leadership throughout your company and what approvals you’ll need for implementing the ISMS. Go over this carefully and work with management so that you can clearly demonstrate their commitment to the ISMS as well as responsibilities for each individual section and process.

Involving management through a clearly stated plan is a big part of getting your ISO 27001 certification.

Planning

The planning stage will feel familiar to any developers, analysts, data specialists and business managers. You’ll get assistance with the creation of a workflow for identifying, reviewing and dealing with IT security risks. It will give you the structure to review threats in relationship to your company and the objectives you’ve provided for your ISMS.

Support

Because you’re dealing with a policy and not a prescribed plan, support will vary and requires a broad understanding of your assets and capabilities. The support section will help you define and secure adequate resources to manage an ISMS from implementation through reviews. Pay close attention to its discussion of how to promote awareness of ISMS policies within your organisation because ISO 27001 certification will require you to have a broad policy that can be applied across divisions.

Operation

Threat assessment is a continually evolving practice. The operational segment will help you review threat assessment and determine what types of information you should collect from your network. Get assistance noting and evaluating threats, manage your ISMS and allow for changes, and build a policy for documenting successes, failures and weaknesses.

Audits are essential to any IT security paradigm, and the ISO 27001 certification prepares you for a variety of threat assessments.

Performance Evaluation

Put your new knowledge into action with guidance on how to monitor your network, measure and analyse your processes, audit changes and view every IT security control relative to your KPIs. Bring your ISMS through all departments to look for proper implementation and check for threats. You’ll also build the capability to improve your system. Essentially, you’ll be putting the entire Operation segment into practice with the capability to properly review and address changes.

Improvement

The core of ISO 27001 certification is to get better at threat analysis and management.

The improvement section will help you review your auditing process as well as the audits themselves. When you identify problems and concerns through auditing, you can then determine which are true threats and need a corrective action. Beyond known threats, the improvement process helps you create a maintenance schedule for continual improvements to your platform. You will learn standard maintenance strategies as well as develop procedures to add audits or reviews when new data is added.

These 10 sections form the backbone of the ISO 27001 standard and certification.

Please note that the documentation you get when reviewing the specification will also include an introduction and a reference annex.

The introduction and annex aren’t included in our list because ISO documentation notes that you can deviate from the annex, so you won’t necessarily need to review those steps during your ISMS’s further development and update planning. The annex itself is listed as “normative,” so you are expected to use it during the initial creation of your ISMS.

ISO 27001 Certification Process

The certification process for the ISO 27001 standard can be completed in as little as a month and has only three main steps for you to follow: Application, Assessment and Certification.

Application: Here you’ll simply work with a partner to register for the certification process. There’s a specific ISO 27001 Quote Request Form that gives your certification partner information about your organisation so that they can have an accurate estimate of your business and what to check for in their audit.

Assessment: We’ll review your business, the processes and the implementations that are noted on the Initial Certification Audit form. Your company will need to demonstrate that your ISMS has been implemented and fully operational for at least three months. We’ll also need to see a full cycle of internal audits. The assessment has two stages that are important to you:

Stage 1 — Verify that you’re ready for an audit and assessment.

We’ll confirm that your ISMS meets standards and best practices.

Determine ISMS implementation status.

Review scope of certification.

Check that you meet legal and legislative compliance for your area.

Develop a report that notes your non-compliance areas and areas for improvement.

Create a plan that covers any corrective action.

Produce an assessment used to begin stage two assessments and testing.

Stage 2 — Execute an audit to review your ISMS and certify it is functioning properly.

Create a new surveillance report that reviews your system and puts forth a date for your first annual surveillance visit.

Certification: ISO 27001 documentation will be issued by your certification partner and you will set up a program of annual surveillance audits plus a three-year audit program in order to receive the certification.

By working with a smart partner, you can also get pre-certification training and reviews to ensure that you’re ready when the certification process begins. Don’t be shy: Always ask about options to help you prepare for ISO 27001 certification and for help maintaining requirements after the initial certification is awarded.

We also recommend a gap analysis before you start the certification process. This analysis allows you to determine any likely workload and timing for implementing an ISMS (or improving your existing ISMS) that will allow you to achieve ISO 27001 certification. Gap analysis is a very good value if you plan on bringing in outside professionals for ISMS development because you’ll be able to provide them with an understanding of the scope you need.

Part of the whole certification process is producing reports and policies that should guide your ISMS development and your internal audits. These can be a great place to begin because you’ll need to perform initial audits to generate some of these reports. The ISO 27001 standard itself will provide you with information you need to understand and develop required documents.

Mandatory Certification Requirements: Document List

To get started with your journey to the ISO 27001 certification, you should pick up a copy of the ISO documentation from the standards body. Don’t trust documents you find from an outside source unless they’re also an officially licensed provider of certifications.

The latest version of the ISO 27001 standard provides a list of required documents to ensure you adhere to the standard and can meet your certification. Some of the documents are also listed as optional, but we recommend that you create these optional documents because they directly target new trends in the workforce, new technologies and important business analysis.

Numbers provided next to each document are a reference to the explanations, requirements and more in the ISO standards documentation. For any document listed with an Annex location, you’ll need to review your processes closely. These documents are required if they’re applicable to your business. When getting certified, the third party will determine if you need any of those documents, so review these closely and consider developing these documents just in case.

Documentation For ISO 27001 Adherence and Certification

Documents that you must generate

| Document Name | Clauses | Annex Clauses |
|---|---|---|
| Scope of the ISMS | 4.3 | |
| Information security policy and objectives (may be split into two documents) | 5.2, 6.2 | |
| Risk assessment and risk treatment methodology | 6.1.2 | |
| Statement of Applicability | 6.1.3 d | |
| Risk treatment plan | 6.1e, 6.2 | |
| Risk assessment report | 8.2 | |
| Definition of security roles and responsibilities | 7.1 | 13.2.4 |
| Inventory of assets | | 8.1.1 |
| Acceptable use of assets | | 8.1.3 |
| Access control policy | | 9.1.1 |
| Operating procedures for IT management | | 12.1.1 |
| Secure system engineering principles | | 14.2.5 |
| Supplier security policy | | 15.1.1 |
| Incident management procedure | | 16.1.5 |
| Business continuity procedures | | 17.1.2 |
| Company requirements: statutory, regulatory, and contractual | | 18.1.1 |

Records you must keep and maintain

| Document Name | Clauses | Annex Clauses |
|---|---|---|
| Employee experience, qualifications, skills and certifications | 7.2, 7.2 | |
| Monitoring and measurement results (baselines and new) | 9.1 | |
| Internal audit procedures | 9.2 | |
| Internal audit results and recommendations | 9.2 | |
| Management review results and recommendations | 9.3 | |
| Corrective action results and recommendations | 10.1 | |
| Logs by user: activities, exceptions, security events and flags | | 12.4, 12.4.3 |

Optional but recommended documents

| Document Name | Clauses | Annex Clauses |
|---|---|---|
| Document control procedures | 7.5 | |
| Record management procedures | 7.5 | |
| Internal audit guidance and review procedures | 9.2 | |
| Corrective actions guidance | 10.1 | |
| Bring your own device (BYOD) policy | | 6.2.1 |
| Mobile and teleworking policy | | 6.2.1 |
| Information classification directive | | 8.2.1, 8.2.2, 8.2.3 |
| Password policies for ISMS and users | | 9.2.1, 9.2.2, 9.2.4, 9.3.1, 9.4.3 |
| Data and e-waste disposal and destruction policy | | 8.3.2, 11.2.7 |
| Secure area processing and access requirements | | 11.1.5 |
| Clear desk and clear screen policy | | 11.2.9 |
| Change management policy | | 12.1.2, 14.2.4 |
| Data storage and backup policy | | 12.3.1 |
| Digital data transfer policies | | 13.2.1, 13.2.2, 13.2.3 |
| Business impact and development analysis procedures | | 17.1.1 |
| Maintenance and review plan | | 17.1.3 |
| Business continuity strategy | | 17.2.1 |

Where Should You Get Certified?

You need to turn to a trusted partner when it comes to your ISO 27001 certification. Don’t put your company’s future in the hands of someone who doesn’t have a strong reputation for proper audits, valid certifications and the ability to help companies meet their goals.

We work with all of our customers to ensure that they have the right processes in place to achieve certification. When any ISMS is found lacking, we’re here to work with you to create and implement strategies to address gaps we detect. You can have experts review your process and proper implementation so you don’t have to worry about creating the right platform and company mindset to achieve your goals.

Reduce the risk your company faces and improve your company’s reputation by working with NQA for all of your ISO 27001 preparations and certifications.

Appendix 1: Meeting Threats Through ISO 27001

NQA recommends that you undertake ISO 27001 training and certification because it can help you make the case to your business partners that you’re ready for the modern digital world. To help you make that case to your management — or to vendors you like and wish would adopt the ISO 27001 standard — we’ve prepared a brief explanation of how ISO 27001 can help you address some of the top problems digital industries face.

Risk Management Assurance. Customers demand strong risk management. The only way to prove that you have correct policies in place is to show certification and outside verification. ISO 27001 proves that you take cyber threats seriously and have prepared to address them. Certification is a clear sign that you not only have the policies in place but that you continually update and improve in order to keep your data safe.

Data Breaches. A single breach can bring down a small or mid-sized vendor. Large companies can only survive a handful, if they’re lucky. ISO 27001 audits offer great protection because they limit your vulnerability. Audits highlight potential breaches and can put other risks into focus by using the security risk framework you learn. ISO 27001 will help you prevent breaches, guarding you against customer litigation and even potential regulatory action.

Legal Compliance. We’ve focused our work on data security all around the world. There are many different laws that can be satisfied by ISO 27001 certification, and some like the UK Data Protection Act have proven track records of ISO 27001 acceptance. Implementing the standard will help you stay compliant and using NQA as your partner will ensure that you have the most relevant legal checks when you undergo any audit or review.

Lapses in Attention. At the core of the ISO 27001 standard is a security mindset. The audit process and ISMS development provide a company-wide focus on security and can make every department accountable. By spelling out who is in charge of which function and who must ensure each team member adheres to policies, you have begun to implement a strong cybersecurity protection plan.

Information Management and Access. Control over your data is vital for your business, not just for the ISO 27001 certification process. By implementing a new focus through these audits and reviews, you can determine areas that may create bottlenecks and gaps in the access, management and protection of your data. Strong audits from partners such as NQA also help you determine gaps and issues in areas where your customers access your data. That can improve customer relationships and protect you against excess liability.

These are just some of the top conversations you can have with your customers and your management to show how beneficial ISO 27001 certification is. Contact NQA today for help making the case and answers to how this certification can apply specifically to your business.

Appendix 2: Glossary

ISO: International Organisation for Standardisation — one of the two bodies responsible for creating the certification and managing its credential authentication.

ISMS: Information Security Management System — set of company policies that create a process for addressing information security, data protection and more to prevent data loss, harm, theft and errors within a company and its culture, not just its IT systems.

IEC: International Electrotechnical Commission — one of the two bodies responsible for creating the certification and managing its credential authentication.

KPI: Key Performance Indicator — a business metric used to evaluate elements that are key to the success of a program or an organisation as a whole.

Audit: Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.

Availability: Property of being accessible and usable upon demand by an authorised entity.

Confidentiality: Property that information is not made available or disclosed to unauthorised individuals, entities, or processes. See 27000 2.61 for help applying this to certifications.

Continual Improvement: Recurring activity to enhance performance. Will require a specific definition in relationship to your individual requirements and processes when asked for in audit documentation.

Control: Measure that is modifying risk. See 27001 2.68 for application assistance.

Correction: Action to eliminate a detected nonconformity during your audit and review processes. When compared to “Corrective Action” view this as treating a symptom and the “Action” as curing a disease.

Corrective Action: Action to eliminate the cause of a nonconformity and to prevent recurrence. This usage specifically notes action you’ll take to remove root causes.

Documented Information: Information that must be controlled and maintained by you and secured by the medium you use to collect it. This can be information in any format, from any source, and will require an audit history when documents request it.

Effectiveness: An estimated and then proven measure of the extent to which planned activities are realised and planned results achieved.

Executive Management: Person or group of people who have delegated responsibility from the governing body for implementation of strategies and policies to accomplish the purpose of the organisation. See 2.29 and 2.57 for help determining your governing body and the scope of this management.

Information Security: Preservation of confidentiality, integrity and availability of information. Secondary properties may include authenticity verification, accountability, reliability and other elements based on your ISMS.

Indicator: A measure that provides an estimate or evaluation of specified attributes derived from an analytical model (with respect to defined information needs).

Integrity: Property of accuracy and completeness in reviews, audits and more.

Interested Party: Person or organisation that can affect, be affected, or perceive themselves to be affected by a decision or activity undertaken by an ISMS, agent, employee or other party you authorise.

Level of Risk: Magnitude of a risk expressed in terms of the combination of consequences and their likelihood. Further explanation is available in 2.14 (consequences), 2.45 (likelihood of risk) and 2.68 (risk magnitude).

Management System: Set of interrelated or interacting elements of an organisation to establish policies, objectives and processes to achieve those objectives. Management systems can address single or multiple disciplines and must include a variety of elements such as roles, responsibilities, planning, operations, organisational structure, and more.

Measurement: Process to determine a value. This may seem vague to some but it is important because it notes that you’re required to determine proper measurements for your ISMS implementation.

Metrics: Elements of your business used to evaluate performance and effectiveness of your ISMS and information security controls. You’ll see this in documentation from auditors, but not in the specifications themselves.

Monitoring: Determining the status of a system, process or activity. Monitoring is about status and then shifts focus when events occur.

Non-conformity: Non-fulfilment of a requirement as defined by the ISMS.

Objective: Strategic, tactical or operational result to be achieved. Objectives can differ greatly and audits will need a strong structure to properly express objectives in order to evaluate them.

Outsource (verb): Make an arrangement where an external organisation performs part of an organisation’s function or process. Your ISMS must review and specify all outsourcing arrangements. Controls and responsibilities must be extremely clear when outsourcing any element.

Performance: Measurable result that can relate either to quantitative or qualitative findings.

Policy: Intentions and direction of an organisation as formally expressed by its top management.

Process: Set of interrelated or interacting activities which transforms inputs into outputs.

Reliability: Property of consistent intended behaviour and results across audits, methodology and reviews.

Requirement: Need or expectation that is stated, generally implied or obligatory. “Generally implied” is listed when the necessity of custom or practice is implied.

Residual Risk: Risk that remains after a risk treatment. These can contain unidentified risks and may also be listed as “retained risks” in auditor information.

Review: Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives.

Risk: The effect of uncertainty on objectives, including real and potential events. See 2.14 through 2.89 for a better understanding of risk, its positive and negative elements, and how it can relate to a variety of situations.

Risk Owner: Person or entity with the accountability and authority to manage a risk and related responses.